FBI Dad's Misadventures With Spyware Exposed School Principal's Child Porn

nonprofiteer writes "This is a crazy story. An FBI agent put spyware on his kid's school-issued laptop in order to monitor his Internet use. Before returning the laptop to the school, he tried to wipe the program (SpectorSoft's eBlaster) by having FBI agents scrub the computer and by taking it to a computer repair shop to be re-imaged. It somehow survived and began sending him reports a week later about child porn searches. He winds up busting the school principal for child porn despite never getting a warrant, subpoena, etc. The case was a gift-wrapped present, thanks to spyware. A judge says the principal has no 4th Amendment protection because 1. FBI dad originally installed spyware as a private citizen not an officer and 2. he had no reasonable expectation of privacy on a computer he didn't own/obtained by fraud."

Re:I'm still trying to wrap my brain around...

[Synerg1y]

It was left on deliberately in an attempt to spy on random U.S. citizens and collect data.

Or.. or... The computer repair shop doesn't know what they're doing

My money's on it's something like this

Re:I'm still trying to wrap my brain around...

[icebike]

...the spyware surviving a cleaning by a computer repair shop and the FBI...

Pretty astounding, when you consider he knew what he installed and it comes with de-install directions.
Quoting the FAQ:

Tamper-Proof Technology
eBLASTER does not show up as an icon, does not appear in the Windows system tray, does not appear in Windows Programs, does not show up in the Windows task list, cannot be uninstalled without the eBLASTER password YOU specify, and eBLASTER does not slow down the operation of the computer it is recording. eBLASTER does not initiate connections to the Internet and will only forward email and send activity reports when the monitored computer is already connected to the Internet. All of these features make it extremely difficult for unauthorized users to locate and/or remove eBLASTER.

Re-imaging the computer from original installation media should have done it, but I suspect that the shop he took it to did not have
that media, or the Certificate and wasn't about to use their own copy, and simply removed the user account.

I can see the FBI not wanting to waste their time and resources on what was his personal project, and sent him to a private shop.
Good on them if that's how it went down.

But the guy running that private shop might be open to a civil suit by the principal.

Re:I'm still trying to wrap my brain around...

[fahrbot-bot]

...the spyware surviving a cleaning by a computer repair shop and the FBI...

It was left on deliberately in an attempt to spy on random U.S. citizens and collect data.
Or.. or... The computer repair shop doesn't know what they're doing.

And/or... (more chillingly) The FBI doesn't know what they're doing.

Re:Fraud?

I work for the FBI, and while I am not familiar with this incident, I'm pretty sure there will be some administrative inquiry into misuse of gov't time & resources, especially since it has made us look bad in the press. I'll have to wait for the next quarterly report on ethic violations (which are always hilarious to read, some people are fucking idiots).

Re:Bios flashed spyware?

[Culture20]

The main way that rootkits survive a total hard disk format is because they're running at the time - any decent rootkit is more than able to stop a simple format from removing it simply by intercepting any parts of the format which target it, and returning OK signals. [...] if the FBI or PC store simply formatted it through, say, re-formatting the drive by running the Windows setup disk, then a kernel level rootkit would happily stay in-tact in this manner.

If they used the Windows setup disk to nuke the drive, how did the rootkit get on the DVD? How did the rootkit stay running after a reboot? You're almost on the right track, but BIOS/EFI infection is the answer you're looking for (or HDD firmware). The rootkit has to be running before any OS boots up. Even a boot-sector virus won't survive a disk-wipe, so there had to be a re-infection method.

Re:Fraud?

They might well understand about DBAN. However, this is what I think happened. The last paragraph is most important.

Something like this is likely as not what happened:

FBI dad is sent to "Saipan in the U.S. territory of the Northern Mariana Islands", an FBI office with three agents and a manager. FBI dad installs spyware on kid's school computer. FBI dad is transferred to new location. He goes to his friends in the local FBI office and asks them to scrub the computer. Either A) there aren't any FBI computer experts in Saipan (quite possible), or the local expert says, "I can wipe it, and I could run the restore software, but there's software on there the school installed that I don't have the disks or licenses for. Take it to a local laptop shop."

FBI Dad takes it to the local shop and says, "I want it restored to what it was like when my kid got it", or "I want you to wipe all my kids info off this laptop", or something similar. They say, "We'll do our best." They have the same problem the FBI expert has. If they DBAN the drive, they could destroy the restore partition, and they won't be able to reinstall the school-installed software. If they run the restore partition, the laptop is like it was before the school got it, and they still won't be able to reinstall the school-installed software. So, they remove all personal data and uninstall all software they think the school didn't install. Maybe they spot the spyware and think it is school installed, maybe they don't spot it, maybe they spot it and try to uninstall it, but instead of uninstalling it hides.

Regardless, they remove what they can without destroying the school-installed software and return it to FBI dad. He returns it to the school. Hilarity ensues.

Slashdot readers read a non-technical report on what happened, written by a non-technical writer, who got his information from non-technical reports made by yet more non-technical people, treats it as if the entire report is completely accurate and all technical terms used correctly, and more hilarity ensues.

Re:I'm still trying to wrap my brain around...

[dyingtolive]

I think you give computer shops WAAAAY too much credit. I worked at one about 6 years back as the lead service tech The guys I worked with wouldn't even have recognized an OS that wasn't Windows XP, let alone understand what dd is or what can be done with it.